Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions scripts/linux-mcp-container.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#!/bin/bash
#
# Wrapper script to run linux-mcp-server in a container via podman.
# Use this in AI agent MCP configs for a cleaner setup.
#
# Environment variables (matching linux-mcp-server official env vars):
# See: https://github.com/rhel-lightspeed/linux-mcp-server
#
# Additional env vars for container configuration:
# MCP_CONTAINER_IMAGE - (optional) Container image to use
#
# Example AI agent config:
# {
# "mcpServers": {
# "linux-mcp-server": {
# "command": "/path/to/linux-mcp-container.sh",
# "env": {
# "LINUX_MCP_USER": "root",
# "LINUX_MCP_SSH_KEY_PATH": "/home/user/.ssh/id_rsa",
# "LINUX_MCP_LOG_LEVEL": "DEBUG"
# }
# }
# }
# }
#

set -e

# Defaults
SSH_KEY="${LINUX_MCP_SSH_KEY_PATH:-$HOME/.ssh/id_rsa}"

@coderabbitai coderabbitai Bot Dec 15, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Validate SSH key existence before mounting.

The script defaults to $HOME/.ssh/id_rsa but never checks if it exists. Podman's mount error will be cryptic and may not make the root cause obvious to users. Adding a simple existence check improves debuggability.

Apply this diff to validate the SSH key before attempting to mount:

 # Ensure logs directory exists
 mkdir -p "$LOGS_DIR"
+
+# Validate SSH key exists
+if [[ ! -f "$SSH_KEY" ]]; then
+  echo "Error: SSH key not found at $SSH_KEY" >&2
+  exit 1
+fi

Also applies to: 41-41

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with this comment. Adding a check for the SSH key is a good idea.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@subpop, thank you for confirming! The SSH key validation will help users quickly identify configuration issues before the container attempts to start, making the error messages much clearer. Let me know if you need any clarification on the implementation.


🧠 Learnings used
Learnt from: CR
Repo: rhel-lightspeed/linux-mcp-server PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-05T22:00:25.960Z
Learning: Applies to src/linux_mcp_server/tools/*.py : Use `mcp.tool()`, `log_tool_call`, and `disallow_local_execution_in_containers` decorators when creating tools

IMAGE="${MCP_CONTAINER_IMAGE:-quay.io/redhat-services-prod/rhel-lightspeed-tenant/linux-mcp-server:latest}"
LOGS_DIR="$HOME/.local/share/linux-mcp-server/logs"

# Ensure logs directory exists
mkdir -p "$LOGS_DIR"

@coderabbitai coderabbitai Bot Dec 15, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Logs directory permissions may restrict container write access.

The mkdir -p "$LOGS_DIR" command creates the directory with the current user's umask. If the container runs as UID 1001 (as configured), it may lack write permissions to a directory created by a different user, causing log failures.

Apply this diff to ensure the container user can write to the logs directory:

-# Ensure logs directory exists
-mkdir -p "$LOGS_DIR"
+# Ensure logs directory exists and is writable by container user
+mkdir -p "$LOGS_DIR"
+chmod 755 "$LOGS_DIR"

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In scripts/linux-mcp-container.sh around line 35, the mkdir -p "$LOGS_DIR" call
can create the directory with umask-restricted permissions that prevent the
container running as UID 1001 from writing logs; after creating the directory,
change ownership to the container UID/GID and set permissive write permissions
(for example chown -R 1001:1001 "$LOGS_DIR" and chmod -R 0755 "$LOGS_DIR") so
the container user can write to the logs directory reliably.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a reasonable precaution to take.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@subpop Thank you for acknowledging the concern! Let me know if you need any help implementing the permission changes or have questions about the approach.


🧠 Learnings used
Learnt from: CR
Repo: rhel-lightspeed/linux-mcp-server PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-05T22:00:25.960Z
Learning: Applies to src/linux_mcp_server/tools/*.py : Use `mcp.tool()`, `log_tool_call`, and `disallow_local_execution_in_containers` decorators when creating tools


# Build podman command
PODMAN_ARGS=(
run --rm -i
--userns "keep-id:uid=1001,gid=0"

@coderabbitai coderabbitai Bot Dec 15, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the script file
find . -name "linux-mcp-container.sh" -type f

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 108


🏁 Script executed:

# List the repo structure to understand the project layout
git ls-files | head -30

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 768


🏁 Script executed:

# Search for Dockerfile or podman-related files
fd -e Dockerfile -e containerfile -o -name "*container*" -o -name "*podman*" 2>/dev/null | head -20

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 58


🏁 Script executed:

# Examine the main script
cat -n ./scripts/linux-mcp-container.sh

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 2078


🏁 Script executed:

# Check the main Containerfile
cat -n Containerfile | head -80

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 3188


🏁 Script executed:

# Check the devcontainer Containerfile
cat -n .devcontainer/Containerfile

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 697


🏁 Script executed:

# Get more of the Containerfile to see user setup
cat -n Containerfile | tail -40

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 1557


🏁 Script executed:

# Search for useradd or RUN commands that set up the mcp user
rg "useradd|groupadd|chown" Containerfile -A 2 -B 2

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 225


🏁 Script executed:

# Look for any documentation about container setup or user requirements
cat -n README.md | head -100

Repository: rhel-lightspeed/linux-mcp-server

Length of output: 4156


Consider making UID/GID configurable to match Containerfile's flexibility.

The hard-coded uid=1001,gid=0 matches the default ARG UID=1001 in the Containerfile and is documented in the README. However, the Containerfile allows UID to be overridden at build time. If someone rebuilds the image with a different UID, the script will silently fail with permission errors. Make these configurable via environment variables (e.g., MCP_UID and MCP_GID) with sensible defaults and document in script comments.

🤖 Prompt for AI Agents
In scripts/linux-mcp-container.sh around line 40, the --userns option hardcodes
uid=1001,gid=0 which can mismatch a rebuilt image; make UID/GID configurable by
reading MCP_UID and MCP_GID environment variables (defaults MCP_UID=1001 and
MCP_GID=0), validate or fallback to the defaults if empty/non-numeric, and
substitute those variables into the --userns argument; add a short comment above
explaining the env vars and defaults so the behavior is documented.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure this is necessary. I doubt many people will rebuild the container image using a different UID.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@subpop, that's a fair point. If rebuilding with a custom UID is an edge case for your users, the current hardcoded approach keeps things simpler. The defaults match the Containerfile and should work for the typical deployment scenario. I'm good with keeping it as is.


🧠 Learnings used
Learnt from: CR
Repo: rhel-lightspeed/linux-mcp-server PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-05T22:00:25.960Z
Learning: Applies to src/linux_mcp_server/tools/*.py : Use `mcp.tool()`, `log_tool_call`, and `disallow_local_execution_in_containers` decorators when creating tools

-v "$SSH_KEY:/var/lib/mcp/.ssh/id_rsa:ro,Z"
-v "$LOGS_DIR:/var/lib/mcp/.local/share/linux-mcp-server/logs:rw,Z"
)

# Pass through all linux-mcp-server environment variables
[[ -n "$LINUX_MCP_USER" ]] && PODMAN_ARGS+=(-e "LINUX_MCP_USER=$LINUX_MCP_USER")
[[ -n "$LINUX_MCP_KEY_PASSPHRASE" ]] && PODMAN_ARGS+=(-e "LINUX_MCP_KEY_PASSPHRASE=$LINUX_MCP_KEY_PASSPHRASE")
[[ -n "$LINUX_MCP_LOG_LEVEL" ]] && PODMAN_ARGS+=(-e "LINUX_MCP_LOG_LEVEL=$LINUX_MCP_LOG_LEVEL")

PODMAN_ARGS+=("$IMAGE")

exec podman "${PODMAN_ARGS[@]}"